# Swimlane AI Agents Case Management Extension
## Overview

The Swimlane AI Agents Case Management Extension provides a unified set of Hero AI agents, with a user interface, that accelerates SOC analyst workflows for triage, investigation, and incident response. The extension includes three specialized Hero AI agents that work together to maximize analyst efficiency and reduce mean time to respond (MTTR).

You can manage these AI agents in the following ways:

- Enable automatic analysis for all alerts.
- Disable analysis entirely.
- Run analysis selectively based on playbook criteria.
- Use the **Run Hero AI Analysis** button for on-demand analysis of individual cases.

### Prerequisites

Install the SOC Solution in Swimlane Turbine before installing the AI Agents Case Management Extension.

## How It Works

The AI Agents Case Management Extension integrates with the Case and Incident Management (CIM) application in the SOC Solutions Bundle. When a signal is created in CIM, you can trigger Hero AI analysis automatically or manually to get comprehensive security insights.

The extension processes cases as follows:

1. Receives a tracking ID from the CIM application for a case or signal.
2. Executes multiple Hero AI analyses, in parallel or in sequence:
   - Signal verdict and threat intelligence analysis
   - MITRE ATT&CK and D3FEND analysis
   - Complete signal analysis
3. Returns enriched results to the same CIM record, with actionable insights.

The extension includes the Hero AI SOC Extension applet, which provides a user interface for viewing and interacting with AI-generated analysis results directly within case records.

## What's Included

The AI Agents Case Management Extension includes the following components:

- **Hero AI SOC Extension applet** for displaying analysis results in CIM cases
- **On-Demand Hero Analysis playbook** for manual analysis triggers
- **Automated Hero AI Analysis flow** for automatic analysis on alert ingestion
- **Four specialized builder components**, plus a JSON-parsing utility component they share (see the Components section)
- **Automated Hero AI Analysis sensor** for automated triggering
- **SOC Solution Hero AI Configuration data object asset** for configuration
- **Support fields** for storing analysis results and driving the widget

## Components

The extension includes the following builder components.

### HASE Hero AI Analysis

- **Description:** Orchestrates all three Hero AI analyses (signal verdict and threat intelligence, MITRE analysis, and complete signal analysis) and returns the results to the CIM record.
- **Inputs:** Tracking ID from the CIM application.
- **Outputs:** Hero AI analysis results, written back to the CIM record.
- **Usage:** This is the main component to call to perform comprehensive Hero AI analysis on a case.

### HASE Hero AI Signal Verdict and Threat Intelligence Analysis

- **Description:** Performs detailed threat analysis by autonomously correlating and weighting threat intelligence from multiple sources.
- **Capabilities:**
  - Case classification (benign, suspicious, or malicious)
  - AI confidence score (0-10) based on threat intelligence correlation
  - Source correlation from multiple threat intelligence providers
  - User-defined weighting for providers and observable types
  - AI-generated summary analysis

### HASE Hero AI Complete Signal Analysis

- **Description:** Provides comprehensive signal analysis, including an immediate verdict, a severity rating, and actionable recommendations.
- **Capabilities:**
  - Visual severity rating and verdict
  - NIST-aligned action recommendations
  - AI confidence score and data correlation
  - Automated case title generation
  - Affected entities visualization

### HASE Hero AI MITRE Analysis

- **Description:** Maps and enriches MITRE ATT&CK TTPs (tactics, techniques, and procedures) and provides D3FEND defensive recommendations.
- **Capabilities:**
  - Automatic T-code mapping from security alerts
  - Contextual enrichment using threat intelligence
  - MITRE D3FEND defensive recommendations
  - Enhanced threat context for security reports

### Extract Parse JSON from Text

- **Description:** Utility component for parsing JSON data out of text fields; used by the other Hero AI components to turn prompt output into structured results.

## Hero AI Agents

The extension is driven by three specialized Hero AI agents.

### 1. Investigation Agent

**Purpose:**
Provides an immediate visual verdict, severity, and actionable recommended actions for every security case.

**Capabilities:**

- **Visual severity rating and verdict:** Displays the severity and case verdict (malicious, suspicious, or benign) immediately, for quick prioritization.
- **NIST-aligned action recommendations and validation checks:** Provides clear, actionable response steps aligned with the NIST incident response lifecycle (NIST SP 800-61) phases of containment, eradication, and recovery, together with associated validation checks.
- **AI confidence score and data correlation:** Provides a quantifiable confidence level (0-10) by correlating data from:
  - Knowledge base articles
  - Historical learning from past cases
  - Current case details and context
- **Automated case title and affected entities visual:** Automatically generates a concise, descriptive case title and visually highlights affected assets and users for quick identification.

**Use cases:**

- Initial case triage and prioritization
- Quick severity assessment
- Automated case documentation
- Affected entity identification

### 2. Verdict and Threat Intelligence Analysis Agent

**Purpose:** Delivers an investigation case summary and a final threat classification, assigning a quantifiable AI confidence score based on deep data correlation.

**Capabilities:**

- **Case classification and Hero AI confidence score:** Classifies the case as benign, suspicious, or malicious, and provides a quantifiable confidence score (0-10) based on threat intelligence correlation.
- **AI-generated summary:** Provides a comprehensive summary analysis of the case.
- **Data correlation:** Uses a wide range of data points, including:
  - Knowledge articles from your knowledge base
  - Historical outcomes from similar cases
  - Correlated manual verdicts from analysts
- **Threat intelligence integration:** Incorporates data from intelligence sources including:
  - VirusTotal
  - Recorded Future
  - Mandiant
  - AbuseIPDB
  - URLhaus
  - Customer-connected third-party feeds
- **Source correlation:** Correlates intelligence from multiple sources and provides a weighted analysis.
- **User-defined weighting:** Lets you define and change the weights of threat intelligence providers and of observable types (IP, domain, hash, URL, etc.) in the threat formula.

**Use cases:**

- Deep threat analysis and classification
- Threat intelligence correlation
- Case verdict determination
- Confidence-based prioritization

### 3. MITRE ATT&CK and D3FEND Agent

**Purpose:** Maps and enriches associated TTPs (tactics, techniques, and procedures) to enhance threat context, and provides appropriate D3FEND defensive recommendations.

**Capabilities:**

- **T-code mapping:** Automatically maps MITRE ATT&CK techniques (T-codes) using pre-existing data from the third-party security alert and contextual enrichment from Hero AI analysis.
- **Contextual enrichment:** Hero AI further enriches the mapping using intelligence from:
  - Other security cases
  - Current threat feeds
  - Internal knowledge base articles
- **Defense recommendations:** Automatically includes MITRE D3FEND recommendations in the output analysis, for security reports and proactive defensive actions.

**Use cases:**

- Threat actor technique identification
- Attack pattern mapping
- Defensive strategy recommendations
- Security report generation
- Threat hunting preparation

## Installation

### Prerequisites

Before you install the extension, ensure the following:

- The SOC Solutions Bundle is installed in your Turbine instance.
- The Case and Incident Management (CIM) application is configured and operational.
- Hero AI is enabled and configured in your Turbine instance.

### Installation Steps

**Install from the library.** To install the extension:

1. Navigate to the Swimlane content library from your tenant: click **Library**, then **Swimlane Content**.
2. Find and select **AI Agents Case Management Extension** in the list of solutions.
3. Click **Install**.

   **Note:** If content already exists in your environment, you may be prompted to overwrite it. To avoid overwriting content, deselect the items you don't want to overwrite. If you deselect too many required items, the solution won't install completely.

4. Enable the playbooks that were installed with the extension.

**Verify the installation.**

1. Confirm the Hero AI SOC Extension applet appears in your CIM
application.
2. Verify all builder components are available in Canvas.
3. Check that the Automated Hero AI Analysis sensor is configured.

After installation, integrate the extension into the Case and Incident Management solution.

## Integration

### Add the Applet to the CIM Application

To add the Hero AI SOC Extension applet to your CIM application:

1. Open the Case and Incident Management (CIM) application.
2. Open the application editor.
3. Drag the Hero AI SOC Extension applet onto the case record layout.
4. Save the application layout.

### Add the On-Demand Analysis Button

To enable manual Hero AI analysis, add a button that triggers the analysis:

1. In the CIM application editor, add a new button.
2. Name the button **Analyze with Hero AI** or **Run Hero AI Analysis**.
3. Configure the button action: select the HASE playbook, then select **On-Demand Hero Analysis** as the playbook flow.
4. Save the button configuration.

**Note:** The On-Demand Hero Analysis playbook is installed with the extension and doesn't require additional configuration.

## Configuration

### Configure Included Assets

To use third-party tools for enrichment and analysis, configure the assets for the tools you want to use:

1. Navigate to **Orchestration > Assets**.
2. Configure all supplied assets for the third-party technologies you want to use, for example:
   - VirusTotal
   - Recorded Future
   - abuse.ch URLhaus
   - IPQualityScore
   - Other threat intelligence providers

### Configure Custom Assets

The extension includes custom assets that let you configure variables used in playbooks or components without editing the playbooks or components directly.

#### SOC Solution Hero AI Configuration Asset

The SOC Solution Hero AI Configuration asset (also called the HASE asset) contains the following configuration options:

- **Threat intelligence weights:** Configure weights for your threat intelligence providers. Weights use a sliding scale and can be any number; what matters is that they are relative to each other. For example, if one provider has a weight of 10 and another has 5, the first provider has twice the influence. To add new threat intelligence providers, add them to the threat intelligence weights variable.
- **Auto analysis:** Enables or disables automated Hero AI analysis. This is `false` by default, so no automatic analysis runs until you enable it. Set it to `true` after you configure the automated flow (see Configure the Automated Flow).
- **Similar records match percentage threshold:** Sets the similarity threshold for finding similar records. Lower values return more similar records; higher values return fewer, but more closely matched, records. Adjust this based on your data: if your records are typically not very similar, lower this value to see results.

#### TI Primary Intelligence Providers Asset

To change the primary provider for any threat intelligence type, configure it in this asset. Ensure that valid, configured enrichment sources exist for the providers you select.

### Configure the Automated Flow

To enable automated Hero AI analysis when new alerts are ingested, configure the SOC Solution playbook to emit an event that triggers the Hero AI analysis flow.

To configure the automated flow:

1. Open your SOC Solution playbook in Canvas.
2. Find the completion of your observable view, which is the end of the case ingestion lifecycle.
3. Find the update action that occurs after observable completion.
4. After that update action, add an **Emit Event** action.
5. Select **Emit to Hero AI Analysis**.
6. Select **Existing Flow Event**, then select **Automated Hero AI Analysis**.

   **Important:** After adding the event emitter, you may not see the event in the dropdown immediately. This is a known platform bug. To work around it, save the playbook, then reload or refresh the page; the events should now appear in the dropdown.

7. Configure the emitter to pass the tracking ID from the record event trigger.

After you configure the event emitter, enable automated analysis by setting the **Auto analysis** toggle to `true` in the SOC Solution Hero AI Configuration asset.

### How Automated Analysis Works

When a new alert comes in:

1. It goes through the normal SOC Solution ingestion flow.
2. Observable processing completes.
3. The "Automated Hero AI Analysis" event is emitted.
4. The Hero AI analysis flow is triggered automatically.
5. Analysis runs through the Hero AI Analysis component.

If you set **Auto analysis** to `false`, the automated flow is disabled and analysis runs only when you trigger it manually via the button.

## Component Configuration

The extension includes several builder components that follow a similar pattern: they collect data, use an AI prompt, parse the output, and return results. Most components do not require editing, but there are optional configuration points.

### HASE Hero AI Analysis Component

- Main orchestration component that calls the other analysis components.
- Contains the overall flow logic.
- Generally does not require editing.

### HASE Hero AI Signal Verdict and Threat Intelligence Analysis Component

- Handles the signal and threat intelligence verdict analysis.
- **Optional configuration:** If you need to edit the AI prompt, it lives in the "Hero AI Analysis" section at the bottom of the component. The prompt includes variables that are populated from KBAs, threat intelligence research, similar signals, and other data sources.
- Generally does not require editing unless you want to customize the prompt.

### HASE Hero AI MITRE Analysis Component

- Maps and enriches MITRE ATT&CK techniques.
- **MITRE data sources:**
  - *Primary:* Looks for MITRE ATT&CK techniques in the **MITRE ATTACK Techniques** field in the SOC Solution.
  - *Alternative:* Can extract T-codes (such as `T1001.123`) from the raw alert if they are not mapped to the field.
- **Optional configuration:** To extract T-codes from raw alerts, open the **Get Current Record** action and add the **Raw Event** field. The component then scans the raw alert for T-codes automatically.

  **Note:** Mapping the raw event causes a large increase in token usage, but it is useful if you are having trouble extracting MITRE data normally.

- Generally does not require editing unless you need to extract T-codes from raw alerts.

### HASE Hero AI Complete Signal Analysis Component

- Provides recommendations and complete signal analysis.
- Can also map in the raw alert, but there is generally no good reason to do so.
- Generally does not require editing.

### Component Pattern

All components follow the same pattern:

1. Collect data from the case record.
2. Use an AI prompt with variables.
3. Parse the prompt output.
4. Return structured results.

You typically don't need to edit these components unless you want to customize the prompts or add additional data sources.

## Usage

### Trigger Manual Analysis

To manually trigger Hero AI analysis for a case:

1. Open a case or signal in the CIM application.
2. Click the **Analyze with Hero AI** button (or the name you configured).
3. Wait for the analysis to complete (typically 1-2 minutes; AI prompts take longer than standard integrations).
4. Review the results in the Hero AI SOC Extension applet.

### Data Collection

When you trigger Hero AI analysis, it collects the following data from the case record:

- All case data and context
- Linked knowledge base articles (KBAs)
- Threat intelligence observables associated with the case
- MITRE ATT&CK techniques (if present in the case)
- Similar records from historical cases
- Other relevant case metadata

This data collection enables the AI agents to provide accurate verdicts and recommendations.

### Automated Analysis

Automated analysis runs when new alerts are ingested, provided you have:

1. Configured the event emitter in your SOC Solution playbook (see Configure the Automated Flow above).
2. Set the **Auto analysis** toggle to `true` in the SOC Solution Hero AI Configuration asset.

When automated analysis is enabled, every new alert that completes the observable ingestion lifecycle automatically triggers Hero AI analysis, without manual intervention.

### Playbook Integration

Use the Hero AI components in your playbooks, for example:

```yaml
# Example playbook step
- name: Run Hero AI Analysis
  component: HASE Hero AI Analysis
  inputs:
    tracking_id: "{{ case.tracking_id }}"
```
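The component pattern above (collect data from the record, fill a prompt, parse the model's output, return a structured result) and the optional raw-event T-code scan are easiest to see end to end in code. The Python below is an added illustration, not the extension's own component code: the technique regex, the prompt template, the JSON-extraction routine and the validation rules are my assumptions about how such a component could behave, and the raw event and the model reply are constructed. It also shows why the parse step should validate what comes back before it is written to the record: the constructed reply's technique list contains a tactic ID and a free-text string, which the normaliser drops, and a technique the alert itself never mentioned, which it flags for the analyst.

```python
import json
import re

# ATT&CK technique IDs: T plus four digits, optionally a three-digit sub-technique.
# Tactic IDs (TA0002) and anything else deliberately do not match. (Assumed pattern.)
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b", re.IGNORECASE)
VERDICTS = {"benign", "suspicious", "malicious"}

# Constructed raw event, standing in for the Raw Event field of a CIM record.
RAW_EVENT = json.dumps({
    "vendor": "ExampleEDR",
    "rule": "Suspicious PowerShell download cradle",
    "host": "WS-0142",
    "mitre": {"techniques": ["T1059.001", "t1566.002"]},
    "description": "powershell.exe -enc ... spawned from Outlook; matches T1059.001, "
                   "and the follow-on beacon matches T1071.001.",
})

# Constructed model reply: prose, a fenced JSON object, more prose, and a technique list
# with two entries a parser must not pass through (a tactic ID and free text).
FENCE = "`" * 3
MODEL_REPLY = (
    "Here is my analysis of the signal.\n\n" + FENCE + "json\n"
    '{"verdict": "Malicious", "confidence": 8.5, '
    '"summary": "PowerShell download cradle launched from a phishing attachment.", '
    '"techniques": ["T1059.001", "T1566.002", "T1105", "TA0002", "not-a-technique"]}\n'
    + FENCE + "\n\nLet me know if you want the D3FEND mappings expanded."
)

PROMPT_TEMPLATE = (
    "You are a SOC analyst. Classify the signal below as benign, suspicious or malicious.\n"
    "Respond with exactly one JSON object with keys: verdict, confidence (0-10), summary, techniques.\n"
    "ATT&CK techniques already present in the alert: {techniques}\n"
    "Raw event:\n{raw_event}\n"
)


def extract_t_codes(raw_event: str) -> list:
    """Step 1 (collect): scan the raw alert for technique IDs; upper-cased, de-duplicated, in order."""
    seen, codes = set(), []
    for match in TECHNIQUE_RE.finditer(raw_event):
        code = match.group(0).upper()
        if code not in seen:
            seen.add(code)
            codes.append(code)
    return codes


def build_prompt(raw_event: str, t_codes: list) -> str:
    """Step 2 (prompt): fill the template variables, as the component's prompt section does."""
    return PROMPT_TEMPLATE.format(techniques=", ".join(t_codes) or "none", raw_event=raw_event)


def extract_json_from_text(text: str) -> dict:
    """Step 3 (parse): return the first JSON object embedded anywhere in free text.
    A decode is attempted at every '{', so markdown fences and surrounding prose do not matter."""
    decoder = json.JSONDecoder()
    for idx, ch in enumerate(text):
        if ch != "{":
            continue
        try:
            obj, _ = decoder.raw_decode(text, idx)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            return obj
    raise ValueError("no JSON object found in model output")


def normalize_analysis(obj: dict, alert_codes: list) -> dict:
    """Step 4 (return): validate the model output before it is written back to the record."""
    verdict = str(obj.get("verdict", "")).strip().lower()
    if verdict not in VERDICTS:
        raise ValueError(f"unexpected verdict {verdict!r}")
    confidence = float(obj.get("confidence", 0))
    if not 0 <= confidence <= 10:
        raise ValueError(f"confidence out of range: {confidence}")
    techniques = [t.upper() for t in obj.get("techniques", []) if TECHNIQUE_RE.fullmatch(str(t))]
    return {
        "verdict": verdict,
        "confidence": confidence,
        "summary": str(obj.get("summary", "")),
        "techniques": techniques,
        # Techniques the model added beyond the alert's own evidence deserve an analyst's eye.
        "techniques_not_in_alert": [t for t in techniques if t not in alert_codes],
    }


def run_component(raw_event: str, model_reply: str) -> dict:
    """Collect -> prompt -> parse -> return, with the model call replaced by a canned reply."""
    codes = extract_t_codes(raw_event)
    _prompt = build_prompt(raw_event, codes)  # in the real component this is sent to Hero AI
    return normalize_analysis(extract_json_from_text(model_reply), codes)


if __name__ == "__main__":
    print(json.dumps(run_component(RAW_EVENT, MODEL_REPLY), indent=2))
```

The regex is also the reason the raw-event scan is cheap to reason about: it finds technique IDs that the vendor wrote into the alert, but cannot invent any, whereas the model's technique list can, which is why the returned `techniques_not_in_alert` list is kept separate rather than silently merged.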
### Workflow Integration

The extension integrates with the SOC Solutions Bundle workflow:

Alert/phishing email → Signal created in CIM → Hero AI analysis triggered → Results enriched → Analyst review → Case escalation/resolution

### Integration Points

- **Alert Triage solution:** Hero AI analysis can be triggered automatically when alerts are triaged.
- **Phishing Triage solution:** Analysis can run on phishing email signals.
- **Threat Intelligence solution:** Results incorporate TI enrichment data.
- **Case and Incident Management:** Analysis results are displayed in case records.

## Output and Results

### Analysis Results Structure

Each Hero AI analysis returns structured results, displayed in the Hero AI SOC Extension applet.

**Verdict analysis**

- **Verdict:** Malicious, suspicious, or benign classification.
- **Verdict confidence score:** A separate confidence score specific to the verdict analysis.
- **Overall confidence score:** An aggregate confidence score (0-10) that includes all analyses (verdict, threat intelligence, MITRE, and remediation actions).
- **Total verdict:** The final classification based on all analyses.

**Threat intelligence analysis**

- Threat intelligence correlation results.
- A confidence score specific to the threat intelligence analysis (it may differ from the verdict confidence).
- Source attribution from multiple threat intelligence providers.

**MITRE ATT&CK analysis**

- MITRE ATT&CK technique mappings, displayed as boxes, one per technique.
- Each technique box includes technique information and D3FEND defensive recommendations for that technique.
- MITRE analysis does not have a separate confidence score.

**Recommended actions**

- NIST-aligned action recommendations (containment, eradication, recovery).
- **Copy to Playbook** button.
- **Copy to Clipboard** button, intended for pasting into Hero AI Companion for blocking actions. Treat these as proposals: review them before any blocking action is executed (see Best Practices).

**Similar records widget**

- Displays the top 10 records that Hero AI found similar to the current case.
- Shows metadata about each similar record in a table.
- These records are not linked (they are not reference fields); they are informational only.
- Hero AI uses them as context when determining the verdict and confidence scores.

**Support fields**

- **Hero AI Verdict:** Contains the verdict data (used for orchestration/reporting).
- **Hero AI Verdict Confidence:** Contains the verdict confidence score (used for orchestration/reporting).
- **Overall Confidence:** Contains the overall confidence score (used for orchestration/reporting).

These fields drive the widget display and can be used for playbook orchestration or reporting.

### Widget Display

The Hero AI SOC Extension applet includes a widget that displays all analysis results. The widget is populated automatically when analysis completes. You generally don't need to edit the widget; it is configured to display results correctly. The widget shows the verdict, confidence scores, recommendations, MITRE techniques, and similar records.

### Understanding Confidence Scores

There are several distinct confidence scores, and it is important to keep them apart:

- **Verdict confidence score:** Specific to the verdict analysis.
- **Threat intelligence confidence score:** Specific to the threat intelligence correlation.
- **Overall confidence score:** An aggregate score that combines all analyses, including remediation actions, verdict, threat intelligence, and MITRE analysis.

The overall confidence score represents Hero AI's confidence in all the work it has done, not just in the verdict.

## Best Practices

### When to Use Hero AI Analysis

- **High-volume alerts:** Use automated analysis to triage large volumes of alerts.
- **Complex cases:** Request analysis for cases requiring deep investigation.
- **Knowledge gaps:** Use analysis when analyst expertise is limited on specific threat types.
- **Consistency:** Ensure a consistent analysis approach across all cases.

### Optimization Tips

- **Configure provider weights:** Adjust threat intelligence provider weights based on your organization's trusted sources.
- **Review confidence scores:** Use confidence scores to prioritize analyst attention.
- **Combine with manual analysis:** Use Hero AI as a starting point, not as a replacement for analyst judgment.
- **Update the knowledge base:** Regularly update knowledge base articles to improve AI accuracy.
- **Monitor performance:** Track analysis accuracy and adjust configurations as needed.
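The relative provider weighting described under the SOC Solution Hero AI Configuration asset, the similar-records threshold, and the distinction between the per-analysis and overall confidence scores are easiest to reason about with a concrete calculation. The Python below is an added illustration, not the extension's own formula or code: the weights, the per-observable-type weights, the verdict bands, the agreement-based confidence, the Jaccard similarity and the plain mean used for the overall score are all assumptions standing in for whatever Hero AI computes internally, and the sample provider hits and historical records are constructed.

```python
from dataclasses import dataclass
from statistics import fmean

# Constructed relative weights; the real values live in the SOC Solution Hero AI Configuration asset.
# 10 vs 5 means VirusTotal has twice the influence of Recorded Future on the same observable type.
PROVIDER_WEIGHTS = {"virustotal": 10, "recorded_future": 5, "abuseipdb": 5, "urlhaus": 2}
OBSERVABLE_WEIGHTS = {"hash": 3, "url": 2, "domain": 2, "ip": 1}
# Assumed verdict bands on the weighted maliciousness score (0.0 clean .. 1.0 malicious).
SUSPICIOUS_AT, MALICIOUS_AT = 0.3, 0.7


@dataclass(frozen=True)
class TiHit:
    """One provider's answer for one observable; score is maliciousness normalised to 0..1 (constructed)."""
    provider: str
    observable_type: str
    observable: str
    score: float


def weight_of(hit: TiHit) -> float:
    """Relative weight of a hit: provider weight times observable-type weight.
    Unknown providers or types get weight 1, so a newly added feed still counts until it is tuned."""
    return PROVIDER_WEIGHTS.get(hit.provider, 1) * OBSERVABLE_WEIGHTS.get(hit.observable_type, 1)


def weighted_verdict(hits):
    """Return (verdict, confidence 0..10, weighted score). Confidence measures how much the
    weighted sources agree: total disagreement (deviation 0.5) gives 0, unanimity gives 10."""
    if not hits:
        return "benign", 0.0, 0.0  # no evidence at all: benign by default, but zero confidence
    total = sum(weight_of(h) for h in hits)
    score = sum(weight_of(h) * h.score for h in hits) / total
    deviation = sum(weight_of(h) * abs(h.score - score) for h in hits) / total
    confidence = round(max(0.0, 10 * (1 - 2 * deviation)), 1)
    if score >= MALICIOUS_AT:
        verdict = "malicious"
    elif score >= SUSPICIOUS_AT:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, confidence, round(score, 3)


def jaccard(a, b) -> float:
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def similar_records(current, history, match_pct_threshold, top_n=10):
    """history maps tracking ID -> observables. Returns [(tracking_id, match %)] at or above the
    threshold, best match first, capped like the widget's top-10 table."""
    scored = ((tid, round(100 * jaccard(current, obs), 1)) for tid, obs in history.items())
    kept = [(tid, pct) for tid, pct in scored if pct >= match_pct_threshold]
    return sorted(kept, key=lambda item: item[1], reverse=True)[:top_n]


def overall_confidence(*per_analysis_scores) -> float:
    """Aggregate of the separate analysis scores (assumed here to be a plain mean)."""
    return round(fmean(per_analysis_scores), 1)


# Constructed sample: a phishing-delivered PowerShell stager seen by four providers.
HITS = [
    TiHit("virustotal", "hash", "e3b0c442", 0.9),
    TiHit("recorded_future", "domain", "update-cdn.example", 0.8),
    TiHit("abuseipdb", "ip", "203.0.113.7", 0.2),  # the one dissenting source
    TiHit("urlhaus", "url", "http://update-cdn.example/a.ps1", 1.0),
]
CURRENT_OBSERVABLES = {"203.0.113.7", "update-cdn.example", "e3b0c442"}
HISTORY = {
    "CASE-1001": {"203.0.113.7", "update-cdn.example", "e3b0c442", "10.0.0.5"},  # 3 of 4 shared -> 75 %
    "CASE-1002": {"update-cdn.example", "198.51.100.9"},                          # 1 of 4 shared -> 25 %
    "CASE-1003": {"192.0.2.1"},                                                   # nothing shared
}


def demo() -> dict:
    verdict, ti_conf, score = weighted_verdict(HITS)
    return {
        "verdict": verdict, "ti_confidence": ti_conf, "weighted_score": score,
        "similar_at_50": similar_records(CURRENT_OBSERVABLES, HISTORY, 50),
        "similar_at_20": similar_records(CURRENT_OBSERVABLES, HISTORY, 20),
        # The overall score also folds in what the other analyses would report (assumed values).
        "overall_confidence": overall_confidence(ti_conf, 8.0, 6.0),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the numbers make visible: lowering the similar-records threshold from 50 to 20 brings in CASE-1002, which shares only one observable, which is exactly the trade-off the asset setting describes; and a single high-weight dissenting provider lowers the threat intelligence confidence without flipping the verdict, which is why the verdict and its confidence are reported as separate fields.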
## Performance Considerations

- Analysis typically completes in 1-2 minutes per case (longer than standard integrations, because it uses AI prompts).
- Multiple analyses can run in parallel for different cases.
- Consider rate limits, including those of your threat intelligence providers, when enabling automated analysis in high-volume environments.
- Mapping raw events for MITRE T-code extraction significantly increases token usage; only use it if necessary.
- Cache results when appropriate to reduce redundant analysis.

## Troubleshooting

### Common Issues

**Hero AI analysis not triggering**

- Verify the Hero AI SOC Extension applet is installed in the CIM application.
- Check that Hero AI is enabled in your Turbine instance.
- Verify component dependencies are properly configured.

**Low confidence scores**

- Ensure threat intelligence providers are properly configured.
- Review knowledge base articles for relevant content.
- Check that case data includes sufficient observables and context.

**Missing threat intelligence data**

- Verify threat intelligence providers are connected and operational.
- Check provider API keys and rate limits.
- Review observable extraction from alerts and emails.

**MITRE ATT&CK mappings incomplete**

- Ensure source alerts include MITRE ATT&CK data in the **MITRE ATTACK Techniques** field.
- If T-codes (such as `T1001.123`) are present in the raw alert but not mapped to the field, configure the MITRE component to extract from the raw event (see Component Configuration).
- Verify the knowledge base contains relevant attack pattern information.
- Check that Hero AI has access to current MITRE ATT&CK framework data.

**Event emitter not appearing in the dropdown after adding it to the SOC Solution playbook**

- This is a known platform bug. Save the playbook, then reload/refresh the page; the events should then appear in the dropdown.
- The bug is expected to be fixed in a future release, but not in the upcoming release.

**Automated analysis not running**

- Verify the event emitter is properly configured in your SOC Solution playbook.
- Ensure the **Auto analysis** toggle is set to `true` in the SOC Solution Hero AI Configuration asset.
- Check that the event emitter is placed after the observable completion update action.
- Verify the tracking ID is being passed correctly from the record event trigger.

## References

- SOC Solutions Bundle documentation: https://docs.swimlane.com/solutions/soc-solutions-bundle (docid bfikt1ja 3gr6ankvvd3y; docid gofetk5tnxwtx8iyfbfev)
- MITRE ATT&CK: https://attack.mitre.org/
- MITRE D3FEND: https://d3fend.mitre.org/